topic Re: Unable to get RLS security to work with an “app owns data” embedded PBI using Azure Analysis Ser in Developer

Unable to get RLS security to work with an “app owns data” embedded PBI using Azure Analysis Service

opensky — Sat, 23 Jun 2018 00:08:55 GMT

Hello,

I am looking for some help getting RLS to work with embedded Power BI and AAS. Here is the scenario:

Deploying as App-owns-data
RLS setup with roles in AAS (RLS not configured in PBI)
Power BI using a live connection to AAS
Using Javascript to embed a Power BI report into a webpage

I verified that the roles are restricting data as expected by connecting to AAS using the Power BI client and Excel.

Able to successfully retrieve an access token from: https://login.microsoftonline.com/common/oauth2/token

Able to generate an embed token by hitting: https://api.powerbi.com/v1.0/myorg/groups/<groupId>/reports/<reportId>/GenerateToken

With the embed token I am able to successfully embed a report with no RLS applied.

However, when attempting to use identities to apply roles or customData to trigger RLS, the data doesn’t seem to pass through to AAS and the RLS is not applied.

I'm creating the embed token by hitting:

https://api.powerbi.com/v1.0/myorg/groups/<groupId>/reports/<reportId>/GenerateToken

With this data:

formData = {

"accessLevel": "View",

"identities": [

{

"username": userName,

"roles": [ role ],

"customData":customData,

"datasets": [ datasetId ]

}

]

}

Using the generated token doesn’t cause RLS to be applied when the report is embedded.

By adding the username and customData fields to a PBI report I can see that the username that AAS sees is the master account that is used for getting the access token, not the effective username passed in the identities payload. The customData value doesn’t show up in the report either.

I also tried the PowerBIEmbedded_AppOwnsData sample project from here: https://github.com/Microsoft/PowerBI-Developer-Samples/tree/master/App%20Owns%20Data/PowerBIEmbedded_AppOwnsData

This sample project successfully embeds the report but when I select the “View as a different user” and add a user and role I get the following error:

{"error":{"code":"InvalidRequest","message":"Creating embed token for accessing dataset <id> requries effective identity username to be identical to the caller's principal name"}}

For additional reference, the dataset has the these properties set:

isRefreshable: false,

isEffectiveIdentityRequired: true,

isEffectiveIdentityRolesRequired: false,

isOnPremGatewayRequired: false

Any suggestions on what I am doing wrong? Thanks for any help!

Re: Unable to get RLS security to work with an “app owns data” embedded PBI using Azure Analysis Ser

v-jiascu-msft — Tue, 26 Jun 2018 07:04:47 GMT

Hi @opensky,

Please refer to embedded-row-level-security#working-with-analysis-services-live-connections. I think you can get the solutions there.

Best Regards,

Dale

Re: Unable to get RLS security to work with an “app owns data” embedded PBI using Azure Analysis Ser

opensky — Tue, 26 Jun 2018 14:45:58 GMT

Thank you for the response Dale. I did review that documentation before posting to this forum but have not been able to figure out what I am doing wrong.

I've seen conflicting messages in posts and in the MSFT documentation, can you confirm:

1. Are roles supported in Azure Analysis Services when using PBI embed tokens? (RLS not defined in PBI)

2. Is CustomData supported in Azure Analysis Services when using PBI embed tokens?

Thanks!

Re: Unable to get RLS security to work with an “app owns data” embedded PBI using Azure Analysis Ser

v-jiascu-msft — Tue, 10 Jul 2018 13:25:22 GMT

Hi @opensky,

The documentation is quite clear.

1. Please refer to developer/embedded-row-level-security#considerations-and-limitations.

>>>Azure Analysis Services live connections support filtering by roles, but not dynamic by username. Dynamic filtering can be done using CustomData.

2. Please refer to the blue Note in embedded-row-level-security#working-with-analysis-services-live-connections.

>>>The CustomData feature will only work for models that reside in Azure Analysis Services, and it only works in live mode. Unlike users and roles, the custom data feature can't be set inside a .pbix file. When generating a token with the custom data feature you must a have user name.

Best Regards,

Dale

Re: Unable to get RLS security to work with an “app owns data” embedded PBI using Azure Analysis Ser

abhijitger — Fri, 03 Aug 2018 11:50:32 GMT

Hi @opensky

There are a couple of settings that you need to get right .

In the below representation of embed token "username" should always be the Master /service account which is a power bi pro account . The dataset in Power BI should be configured using this account .

"roles" attribute should contain the rolename that you have configured in your Azure AS model .

"Customdata" attribute should contain the username for whom you want to process the report.

The DAX expression for the AS ROLE should use CUSTOMDATA() function instead of USERNAME()

formData = {

"accessLevel": "View",

"identities": [

{

"username": master/Service account,

"roles": [ rolename ],

"customData":user@domain.com,

"datasets": [ datasetId ]

}

]

}